Feature request: Global and per-user CI variables

Description

We have a lot (almost all) of projects in our Gitlab that build packages through Gitlab CI. packages covers docker images, debian package, Ruby gem, Python, and a lot of other artifacts. After build these package are upload in their respectives repositories, depending of the packaging technology.

I will now details only Debian packaging , but what follow applies in almost all other type of package.

Creating a debian package means, among others things:

• Sign the package a specific (per user) GPG key
• Upload the .deb to a repository, whose hostname is common for all the organisation, like debian.my.org
• Before uploding, login to this repository using specific (per user) credentials.

The hostname of each repositories type is subject to change over time (no control on that), and we want to avoid having it explicitly used in .gitlab-ci.yml, so that we don't have to edit all our projets when a hostname change.

For now, this is what we are using to do that in Gitlab CI:

• An environment variable is set directly in the runners configuration (config.toml file), containing the repository hostname (e.g.: DEBIAN_HOST=debian.my.org).
• We created a generic GPG key (per team), and a generic upload account, that each project of a team set as secret variables. With the solution we have 2 issues:
  • We cannot track per user, it's only per team, at best. Security guys are (with reasons) not really happy.
  • When the password of a generic account expires and need to be changed, each team must edit secret variables of all its projects.

Proposal

Here is a proposal that should cover the previous use cases (which is I think pretty common everywhere), and maybe some other ones that still not occurs.

It consists of adding 2 new level of variables:

• Global variables, that can be defined by admin directly in the Gitlab GUI. Much easier, than runner's config.toml, centralized (no needs to update every runners config), more secured (global variables will not be in clear text file, but stored enrcypted, like actual project variables).
• Per users variables: each user in Gitlab, should have a new section in its profile settings, where it can add any variables he wants. Exactly like project variables. Encrypted as well.

Then, the precedence of the variables in a pipeline can be changed like that:

1. Trigger variables
2. Global secure variables
3. Project secure variables
4. Per user secure variables
5. YAML-defined job-level variables
6. YAML-defined global variables
7. Predefined variables

This way, regarding the previous use case:

• Administrators can define a gobal DEBIAN_HOST and change it easly for all the organisation
• Organisation define a list of variable name each user needs to set in its profile for personnal credential (like DEBUILG_GPG, DEB_REPO_USER, DEB_REPO_PASS). So each user can manage its credential secretly and change passwords at only one place on each pasword expiration for all its projects, full tracking is preserved...

Edit: per user variables can also cover security issue in deployment stage jobs: if the user pushing the job does not have the valid credential in their user variables, the jobs naturally fails. This can also cover the vault security pattern: a centralized vault service contains secrets (credential, ssh key, ssl certificates, ...) needed to build, configure or deploy things. Each user has a personnal account to access the vault, and the vault has ACL telling precisely what secret whom user can access. In Gitlab-CI, user variables can contain only the credential to login to the vault. Then in the job, if the user does not have access to the needed secret in the vault, the job fails. By the way, that part (security and vault pattern) can be covered by gitlab-foss#20367 (closed).

Links / references

Like credential for external services or repository, per users variables can also be used to store a Gitlab API tocken. This will allows scripts in Gitlab CI jobs to use the API to upload files in the Gitlab release representing a tags, add auto comment in a related issue/merge request, ...

In a first iteration, that API token name cas be defined by the user. And In a next iteration, some of the per user variables can be autolocally defined by gitlab, for example the user API token, automatically defined and temporarlly for each build, like the CI registry token.

Changed title: Global and per-user CI variables → Proposal: Global and per-user CI variables

Changed title: Proposal: Global and per-user CI variables → Feature request: Global and per-user CI variables

Added 19173 gitlab-foss14213 labels

We use a vault to store deployment secrets here, and per user variables would be definitively useful to restrict access to some tasks when using manual action. The users with no access key to the vault stored in gitlab wouldn't be able to push to production. A user with access could. It might be a solution for the problem of the user authorization in CI, as described here : gitlab-foss#20261 (closed), when deployment steps require authentication.

There are a lot of related tickets, see for example gitlab-foss#20367 (closed)

Thanks @halberom, I sought for similar issues before posting mines, but didn't found any (which doesn't means there isn't, there is a lot of issues).

But the issue you mentioned is about environment specific variables, which does not covers the use cases I described (it may cover some security concerns, and vault patterns, that I added in the description of the proposal).

Sure, I was a bit terse, and yes they're not identical but definitely I think related. The concept of per environment variables is I think a 3rd layer that should be added in addition to your 2. Might be worth your commenting on gitlab-foss#22445 (closed) because it appears they're starting to prioritise this type of additional feature, and they're focusing on gitlab-foss#20367 (closed) at present.

Mentioned in issue gitlab-foss#20367 (closed)

Rather than global or per-user would it make more sense to make them per-user/per-branch and group level variables like how deploy keys are currently handled?

With the shear amount of issues surrounding secret variables I think it'd probably be best for GitLab to take a unified approach as a lot of these issues are related. It'd probably also be an easy sell for placing some of the features behind gitlab-ee.

Added ~113220 label

Removed ~113220 label

I would also like this feature. My company uses Hashicorp Vault to store secrets and right now GitlabCI has its own authentication token. For traceability purposes, we would very much like being able to run jobs with the user's own token.

How come this has not been implemented yet? Global secure variables is a must.

I would also appreciate per-group variables for FTP deploys, etc..

Customer has opened an issue to show interest in this feature proposal:

ZD: https://gitlab.zendesk.com/agent/tickets/73199

added customer in GitLab FOSS label

added customer+ in GitLab FOSS label

added ci variables in GitLab FOSS label

We similarly need user-level variables for auth to 3rd party vulnerability services etc. and likewise for the deploy pattern described too.

Just fyi, @adam-moss is from https://na34.salesforce.com/0016100000K8E5P?srPos=0&srKp=001 current EES customer site.

mentioned in issue gitlab-foss#12729 (closed)

+1 to allowing third party secret stores. If all of your applications configuration and secrets are already stored in a battle tested secret store, there should just be modularized plugins to grab that data and inject it at build. The builds should also be parameterized, the idea of just using branches is cumbersome :)

For anyone else searching, per-group secret variables are already supported as of 9.4. gitlab-foss#12729 (closed)

moved from gitlab-foss#21770 (moved)

mentioned in commit e620d734